update unbound

3 files changed, 28 insertions, 4 deletions

diff --git a/external/unbound/daemon/daemon.c b/external/unbound/daemon/daemon.c
index 0cd37ae82..e763f724e 100644
--- a/external/unbound/daemon/daemon.c
+++ b/external/unbound/daemon/daemon.c
@@ -399,6 +399,12 @@ daemon_create_workers(struct daemon* daemon)
 	verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
 	
 	daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
+	if(daemon->reuseport && (int)daemon->num < (int)daemon->num_ports) {
+		log_warn("cannot reduce num-threads to %d because so-reuseport "
+			"so continuing with %d threads.", (int)daemon->num,
+			(int)daemon->num_ports);
+		daemon->num = (int)daemon->num_ports;
+	}
 	daemon->workers = (struct worker**)calloc((size_t)daemon->num, 
 		sizeof(struct worker*));
 	if(daemon->cfg->dnstap) {
@@ -464,7 +470,7 @@ thread_start(void* arg)
 #endif
 #ifdef SO_REUSEPORT
 	if(worker->daemon->cfg->so_reuseport)
-		port_num = worker->thread_num;
+		port_num = worker->thread_num % worker->daemon->num_ports;
 	else
 		port_num = 0;
 #endif
diff --git a/external/unbound/daemon/remote.c b/external/unbound/daemon/remote.c
index 93d0eda28..300948b32 100644
--- a/external/unbound/daemon/remote.c
+++ b/external/unbound/daemon/remote.c
@@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* cfg)
 		goto setup_error;
 	}
 	verbose(VERB_ALGO, "setup SSL certificates");
-	if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
+	if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
 		log_err("Error for server-cert-file: %s", s_cert);
-		log_crypto_err("Error in SSL_CTX use_certificate_file");
+		log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
 		goto setup_error;
 	}
 	if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
@@ -258,6 +258,23 @@ daemon_remote_create(struct config_file* cfg)
 		log_crypto_err("Error in SSL_CTX check_private_key");
 		goto setup_error;
 	}
+#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
+	if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
+		log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
+	}
+#elif defined(USE_ECDSA)
+	if(1) {
+		EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+		if (!ecdh) {
+			log_crypto_err("could not find p256, not enabling ECDHE");
+		} else {
+			if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
+				log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
+			}
+			EC_KEY_free (ecdh);
+		}
+	}
+#endif
 	if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
 		log_crypto_err("Error setting up SSL_CTX verify locations");
 	setup_error:
@@ -1683,6 +1700,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
 			}
 		}
 	}
+	dp->has_parent_side_NS = 1;
 	return dp;
 }
 
diff --git a/external/unbound/daemon/worker.c b/external/unbound/daemon/worker.c
index f4e87289a..79aec4d3a 100644
--- a/external/unbound/daemon/worker.c
+++ b/external/unbound/daemon/worker.c
@@ -568,7 +568,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 	if(rep->an_numrrsets > 0 && (rep->rrsets[0]->rk.type == 
 		htons(LDNS_RR_TYPE_CNAME) || rep->rrsets[0]->rk.type == 
 		htons(LDNS_RR_TYPE_DNAME))) {
-		if(!reply_check_cname_chain(rep)) {
+		if(!reply_check_cname_chain(qinfo, rep)) {
 			/* cname chain invalid, redo iterator steps */
 			verbose(VERB_ALGO, "Cache reply: cname chain broken");
 		bail_out: